Can the A5/1 algorithm be used as a pseudo-random generator?


by Alexander PUKALL 


A5/1, used in 2G GSM networks, uses three LFSRs to generate a pseudo-random stream of 114 bits
for each GSM frame (228 bits for the upframe and the downframe).


The three LFSRs used are: 


x^19 + x^18 + x^17 + x^14 + 1,
x^22 + x^21 + 1,
x^23 + x^22 + x^21 + x^8 + 1.


Since the degrees of the three LFSRs are relatively prime, the period of this generator is the 
product of the periods of the three LFSRs. 


19+22+23 = 64 bits. Thus the period of A5/1 is 2^64 bits (2 to the power of 64), which is huge.

One might therefore think that A5/1 can be used as a random number generator. 

This is not the case. As soon as the maximum period of the largest of the three LFSRs is reached,
i.e. 8 MB, the data produced loses its randomness (the three LFSRs produce maximum periods of
512 KB for the 19-bit LFSR, 4 MB for the 22-bit LFSR and 8 MB for the 23-bit LFSR).


It can easily be tested with the PractRand random number tester. 


The tests performed on Linux are as follows: 


The A5/1 version used is that of Marc Briceno, Ian Goldberg and David Wagner with the following 
modifications to produce an infinite pseudo random stream: 


void run(byte AtoBkeystream[], byte BtoAkeystream[]) {
    int i;
    unsigned int bit, bits;
    /* Output accumulator; inside this function the name shadows
     * the byte typedef of the reference code. */
    unsigned char byte;

    bits = 0;
    byte = 0;

    /* Zero out the output buffers. */
    for (i=0; i<=113/8; i++)
        AtoBkeystream[i] = BtoAkeystream[i] = 0;

    /* Generate keystream bits without end instead of stopping after
     * 114, pack them MSB first and write each full byte to stdout. */
    while(1) {
        clock();
        bit=getbit();

        byte = (byte << 1) | bit;

        // printf("%d", bit);

        bits++;
        if (bits == 8)
        {
            printf("%c", byte);
            bits = 0;
            byte = 0;
        }

        //AtoBkeystream[i/8] |= getbit() << (7-(i&7));
    }
}


This file can be downloaded here (caution: the link is plain http, not https):


http://pcecipher.free.fr/a5-1/a5-random-generator.c


and can be compiled on Linux with: 


gcc a5-random-generator.c -o a5-random-generator 


PractRand can be downloaded here:


https://pracrand.sourceforge.net/ 


The test is then run with: 


./a5-random-generator | rng_test stdin8


RNG_test using PractRand version 0.94
RNG = RNG_stdin8, seed = unknown
test set = core, folding = standard (8 bit)

rng=RNG_stdin8, seed=unknown
length= 256 kilobytes (2^18 bytes), time= 2.1 seconds
  no anomalies in 41 test result(s)

rng=RNG_stdin8, seed=unknown
length= 512 kilobytes (2^19 bytes), time= 7.2 seconds
  no anomalies in 50 test result(s)

rng=RNG_stdin8, seed=unknown
length= 1 megabyte (2^20 bytes), time= 14.7 seconds
  no anomalies in 56 test result(s)

rng=RNG_stdin8, seed=unknown
length= 2 megabytes (2^21 bytes), time= 26.6 seconds
  no anomalies in 63 test result(s)

rng=RNG_stdin8, seed=unknown
length= 4 megabytes (2^22 bytes), time= 47.6 seconds
  no anomalies in 71 test result(s)

rng=RNG_stdin8, seed=unknown
length= 8 megabytes (2^23 bytes), time= 86.7 seconds
  Test Name                         Raw       Processed     Evaluation
  Gap-16:A                          R= +17.8  p= 1.2e-14    FAIL!
  ...and 75 test result(s) without anomalies


A5/1 cannot therefore be used as a pseudo-random generator.
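

The following added example (not part of the original page or of the Briceno/Goldberg/Wagner code) measures the period of each of the three LFSRs when it is stepped on every clock, and implements one majority-clocked A5/1 step of the kind clock() and getbit() perform. The mask constants are those of the public reference code; the names lfsr_def, lfsr_period and a51_step are chosen here for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Masks follow the public A5/1 reference code: register width, feedback
 * taps, clocking ("middle") bit and output bit for R1, R2, R3. */
typedef struct { uint32_t mask, taps, mid, out; } lfsr_def;
static const lfsr_def R[3] = {
    {0x07FFFF, 0x072000, 0x000100, 0x040000},  /* x^19+x^18+x^17+x^14+1 */
    {0x3FFFFF, 0x300000, 0x000400, 0x200000},  /* x^22+x^21+1 */
    {0x7FFFFF, 0x700080, 0x000400, 0x400000},  /* x^23+x^22+x^21+x^8+1 */
};

static uint32_t parity(uint32_t x) {
    x ^= x >> 16; x ^= x >> 8; x ^= x >> 4; x ^= x >> 2; x ^= x >> 1;
    return x & 1;
}

/* Shift one register left by one and feed the tap parity into bit 0. */
static uint32_t step(uint32_t reg, const lfsr_def *d) {
    return ((reg << 1) & d->mask) | parity(reg & d->taps);
}

/* Clocks until register idx returns to its start state when stepped on
 * every clock (no stop/go); a maximal-length LFSR gives 2^n - 1. */
uint32_t lfsr_period(int idx) {
    uint32_t s = 1, n = 0;
    do { s = step(s, &R[idx]); n++; } while (s != 1);
    return n;
}

/* One A5/1 step: registers whose clocking bit agrees with the majority
 * move, the others stall; the output is the XOR of the three top bits. */
uint32_t a51_step(uint32_t s[3]) {
    int i, votes = 0;
    uint32_t bit = 0;
    for (i = 0; i < 3; i++) votes += (s[i] & R[i].mid) != 0;
    for (i = 0; i < 3; i++) {
        if (((s[i] & R[i].mid) != 0) == (votes >= 2)) s[i] = step(s[i], &R[i]);
        bit ^= (s[i] & R[i].out) != 0;
    }
    return bit;
}

int main(void) {
    for (int i = 0; i < 3; i++)
        printf("R%d period: %u clocks\n", i + 1, (unsigned)lfsr_period(i));
    return 0;
}
```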


